From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Borkmann, Stanislav Fomichev, Eric Dumazet, Marcelo Ricardo Leitner
Subject: [PATCH 5.4 29/33] net, sctp, filter: remap copy_from_user failure error
Date: Fri, 22 Jan 2021 15:12:45 +0100
Message-Id: <20210122135734.750091426@linuxfoundation.org>
X-Mailer: git-send-email 2.30.0
In-Reply-To: <20210122135733.565501039@linuxfoundation.org>
References: <20210122135733.565501039@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Daniel Borkmann

[ no upstream commit ]

Fix a potential kernel address leakage for the prerequisite where there is a BPF program attached to the cgroup/setsockopt hook. The latter can only be attached under root, however, if the attached program returns 1 to then run the related kernel handler, an unprivileged program could probe for kernel addresses that way. The reason this is possible is that we're under set_fs(KERNEL_DS) when running the kernel setsockopt handler. Aside from old cBPF there is also SCTP's struct sctp_getaddrs_old which contains pointers in the uapi struct that further need copy_from_user() inside the handler. In the normal case this would just return -EFAULT, but under a temporary KERNEL_DS setting the memory would be copied and we'd end up at a different error code, that is, -EINVAL, for both cases given subsequent validations fail, which then allows the app to distinguish and make use of this fact for probing the address space.

In case of later kernel versions this issue won't work anymore thanks to Christoph Hellwig's work that got rid of the various temporary set_fs() address space overrides altogether.

One potential option for 5.4 as the only affected stable kernel with the least complexity would be to remap those affected -EFAULT copy_from_user() error codes with -EINVAL such that they cannot be probed anymore. Risk of breakage should be rather low for this particular error case.

Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
Reported-by: Ryota Shiga (Flatt Security)
Signed-off-by: Daniel Borkmann
Cc: Stanislav Fomichev
Cc: Eric Dumazet
Cc: Marcelo Ricardo Leitner
Signed-off-by: Greg Kroah-Hartman
---
 net/core/filter.c | 2 +-
 net/sctp/socket.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1475,7 +1475,7 @@ struct bpf_prog *__get_filter(struct soc if (copy_from_user(prog->insns, fprog->filter, fsize)) { __bpf_prog_free(prog); - return ERR_PTR(-EFAULT); + return ERR_PTR(-EINVAL); } prog->len = fprog->len; --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -1319,7 +1319,7 @@ static int __sctp_setsockopt_connectx(st kaddrs = memdup_user(addrs, addrs_size); if (IS_ERR(kaddrs)) - return PTR_ERR(kaddrs); + return PTR_ERR(kaddrs) == -EFAULT ? -EINVAL : PTR_ERR(kaddrs); /* Allow security module to validate connectx addresses. */ err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_CONNECTX,
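Review bot: In the __get_filter hunk the copy_from_user() failure path now returns ERR_PTR(-EINVAL) with no comment at the site, and because the message states there is no upstream commit, a later backport or sync against mainline (which keeps -EFAULT here) can silently undo the remap; add a one-line comment such as `/* -EFAULT deliberately remapped to -EINVAL, see commit message */` next to the return. The stable note should also say plainly that this changes the errno returned by every path through __get_filter with an unreadable filter pointer, not only requests that went through the cgroup/setsockopt hook, since that is the user-visible behaviour change the "low risk of breakage" sentence is weighing.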
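Review bot: The __sctp_setsockopt_connectx hunk evaluates PTR_ERR(kaddrs) twice inside the ternary and, like the filter.c change, leaves the remap unexplained in the code; the function already has an `err` variable (it is assigned from security_sctp_bind_connect() two lines below), so `err = PTR_ERR(kaddrs); return err == -EFAULT ? -EINVAL : err;` with a short comment reads cleaner. The conditional form is correct as far as behaviour goes, since it keeps other memdup_user() errors such as -ENOMEM unchanged and only collapses the -EFAULT case that the commit message identifies as distinguishable.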